new-ecro-helper @5.8.0

Summary

The package publishes verbatim big.js v7.0.1 source (including the upstream copyright header, README, repository URL pointing to MikeMcl/big.js, and the upstream author's email) under the unrelated name new-ecro-helper . The main entry (big.js / big.mjs) has an injected loader block that runs on every require('new-ecro-helper') : try { const doc = require("new-helper"); doc.from_str().then(...).catch(...) } catch (error) { } . The dependency new-helper is declared as ^5.8.1 in package.json, so the semver caret admits any current or future 5.x.y version of that sibling package as the actual delivered payload. All errors from both the require and the invocation are swallowed by empty catch handlers, hiding the activity from the consuming application. The big.js code itself is unmodified and serves only as a cover library to disguise the loader. The net effect on installers: npm install new-ecro-helper pulls new-helper into the dependency tree, and any consumer that requires the package immediately and silently executes code in that sibling package.

Source: amazon-inspector (f0826d146dbc513ac14f403eaa9ba65dffbd04da52c55ff1840ad153dab96e87)